Data ONTAP Discussions

vulnerability

Hi Team,

Looking for a solution for the vulnerabilities; please check the attached file for details.

NetApp Release 8.2.3P3 7-Mode: Tue Apr 28 14:48:22 PDT 2015

The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities:

- A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access. (CVE-2007-1036)

- A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code. (CVE-2012-0874)

- A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier. (CVE-2013-4810)

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

Re: vulnerability

Time to upgrade to 8.2.5p2

Re: vulnerability

Thank you very much, team, but could you also help me with any technote which could justify the same?

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

Re: vulnerability

Please check https://security.netapp.com/advisory/. If it's not listed here, I'd open a Support case.

Re: vulnerability

A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810
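One way to verify a scanner finding like this against your own filer before opening a support case, as an added example that is not from the thread or from NetApp: it assumes JBoss's standard `/invoker/` paths for the four servlets named above and a reachable base URL, and the fetch function is injectable so the classification logic runs offline.

```python
"""Triage a JBoss invoker-servlet scanner finding before opening a support case."""
from dataclasses import dataclass
from typing import Callable, Dict
import urllib.error
import urllib.request

# Servlet names from the scanner text above, under the /invoker/ prefix JBoss uses.
INVOKER_PATHS = [
    "/invoker/EJBInvokerServlet",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerHAServlet",
    "/invoker/JMXInvokerHAServlet",
]


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def fetch_http(url: str, timeout: float = 5.0) -> Response:
    """Plain GET against your own host; 4xx/5xx answers are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read(4096))
    except urllib.error.HTTPError as e:
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read(4096))


def classify(resp: Response) -> str:
    """'present': a JBoss invoker really answered; 'absent': nothing is served there;
    'unconfirmed': something answered without JBoss fingerprints (review by hand)."""
    if resp.status in (404, 410):
        return "absent"
    ctype = resp.headers.get("content-type", "").lower()
    server = resp.headers.get("server", "").lower()
    body = resp.body.lower()
    # A live invoker servlet replies with a Java-serialized object (stream magic 0xACED).
    if "x-java-serialized-object" in ctype or body.startswith(b"\xac\xed") \
            or "jboss" in server or b"jboss" in body:
        return "present"
    return "unconfirmed"


def triage(base_url: str, fetch: Callable[[str], Response] = fetch_http) -> Dict[str, str]:
    """Map each invoker path to its classification; pass a fake `fetch` for offline runs."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in INVOKER_PATHS}
```

An "absent" result on every path is the evidence that backs the reply above (no JBoss invoker is served by ONTAP), and it is what to attach to the support case; any "present" or "unconfirmed" path needs a closer look.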